CVE-2024-1488

NameCVE-2024-1488
DescriptionA vulnerability was found in Unbound due to incorrect default permissions, allowing any process outside the unbound group to modify the unbound runtime configuration. If a process can connect over localhost to port 8953, it can alter the configuration of unbound.service. This flaw allows an unprivileged attacker to manipulate a running instance, potentially altering forwarders, allowing them to track all queries forwarded by the local resolver, and, in some cases, disrupting resolving altogether.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
unbound (PTS)jessie, jessie (lts)1.4.22-3+deb8u4fixed
stretch1.6.0-3+deb9u2fixed
buster (security), buster, buster (lts)1.9.0-2+deb10u4fixed
bullseye1.13.1-1+deb11u2fixed
bullseye (security)1.13.1-1+deb11u3fixed
bookworm (security), bookworm1.17.1-2+deb12u2fixed
sid, trixie1.22.0-1fixed
unbound1.9 (PTS)stretch (security)1.9.0-2+deb10u2~deb9u2fixed
stretch (lts), stretch1.9.0-2+deb10u2~deb9u4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
unboundsource(unstable)(not affected)
unbound1.9source(unstable)(not affected)

Notes

- unbound <not-affected> (RedHat specific patch vulnerability)
https://bugzilla.redhat.com/show_bug.cgi?id=2264183
- unbound1.9 <not-affected> (RedHat specific patch vulnerability)

Search for package or bug name: Reporting problems